Saturday, September 11, 2010

Count the number of members in an AD Group

http://windowsmvp.spaces.live.com/blog/cns!80195647FE07388F!124.entry

Purpose: Enumerates all the groups in your Active Directory domain and checks each group's membership count. You set a value to compare against; if a group has more members than the value you specify, the script outputs the group name and the count.

How to use:
  1. Save the script anywhere, name it CheckCount.vbs
  2. I assume you save it to c:\script
  3. Open a command prompt and navigate to c:\Script
  4. Type in "cscript CheckCount.vbs > results.txt"
  5. Wait till operations finish, use notepad to open results.txt

Done. Enjoy. Of course, there is plenty of room for improvement. I realise this code for counting the members in a group wasn't easy to find on the net, so I'm sharing it here.

You can download the script here.

http://sgwindowsgroup.org/forums/thread/3240.aspx

'************************************************************
'
' Name: Dennis Chung (Dennis@mvps.org)
' MCP, MCSA, MCSE, MCTS, MCITP, MCDBA, MCT, MVP
' Version: 1.0
' Description: Grabs every security group in AD and outputs
' to screen any group containing more members
' than specified value.
' Date: 07 July 06
'
'************************************************************

'********************************************************
'MemberCount specifies the number of members in a group.
'Any group containing more members than this number will
'trigger the prompt
'********************************************************

MemberCount = 950
'********************************************************

'This is the domain in which the script will run against
'In order for the script to run successfully, you need to
'login to the domain directly
'********************************************************

Domain = "dc=contoso,dc=msft"
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

'********************************************************
'This is the query that grabs every single group.
'You can use "Name=gp*" as part of the query to pull out
'group that starts with gp*
'********************************************************

objCommand.CommandText = _
"SELECT distinguishedName FROM 'LDAP://" & Domain & "' WHERE objectCategory='group'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    '***************************************************************************
    'For every group that was retrieved from the domain, check the members count
    '***************************************************************************
    Set objGroup = GetObject("LDAP://" & objRecordSet.Fields("distinguishedName").Value)
    Set adsMember = objGroup.Members
    '**************************************************************
    'If the count is larger than the MemberCount, it'll be prompted
    '**************************************************************
    If adsMember.Count > MemberCount Then
        WScript.echo objRecordSet.Fields("distinguishedName").Value & " - " & adsMember.Count
    End If

    objRecordSet.MoveNext

Loop
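
The same audit in PowerShell, as an added example that is not part of the original script: it counts each group's direct members by reading the member attribute with LDAP ranged retrieval, because a domain controller returns a large multi-valued attribute in chunks rather than all at once. Nested groups are not expanded, and accounts that belong to a group only as their primary group are not stored in member. Get-DirectMemberCount is a hypothetical helper name; the threshold and domain are the sample values from the script above, and a domain-joined host with read access to group objects is assumed.

```powershell
# Added example (not the original script). Assumes a domain-joined host and an
# account that can read group objects; the values below are the page's samples.
$Threshold = 950
$BaseDn    = 'dc=contoso,dc=msft'

function Get-DirectMemberCount {
    param([Parameter(Mandatory)][System.DirectoryServices.DirectoryEntry]$Group)

    # Base-scope search on the group itself so "member" can be requested in ranges.
    $s = New-Object System.DirectoryServices.DirectorySearcher($Group)
    $s.SearchScope = 'Base'
    $s.Filter      = '(objectClass=*)'
    $count = 0
    while ($true) {
        $s.PropertiesToLoad.Clear()
        [void]$s.PropertiesToLoad.Add("member;range=$count-*")
        $r = $s.FindOne()
        if (-not $r) { break }
        # The DC answers with e.g. "member;range=0-1499", or "...-*" on the last chunk.
        $name = $r.Properties.PropertyNames |
                Where-Object { $_ -like 'member;range=*' } | Select-Object -First 1
        if (-not $name) { break }            # empty group: attribute absent
        $count += $r.Properties[$name].Count
        if ($name.EndsWith('-*')) { break }  # last chunk received
    }
    return $count
}

$root   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$BaseDn")
$finder = New-Object System.DirectoryServices.DirectorySearcher($root)
$finder.Filter      = '(objectCategory=group)'
$finder.SearchScope = 'Subtree'
$finder.PageSize    = 1000      # paged search, as in the VBScript
[void]$finder.PropertiesToLoad.Add('distinguishedName')

$results = $finder.FindAll()
try {
    foreach ($hit in $results) {
        # GetDirectoryEntry() binds by the returned ADsPath, so DN escaping is handled.
        $n = Get-DirectMemberCount -Group $hit.GetDirectoryEntry()
        if ($n -gt $Threshold) {
            [pscustomobject]@{ Group = $hit.Properties['distinguishedname'][0]; Members = $n }
        }
    }
} finally {
    $results.Dispose()   # SearchResultCollection holds unmanaged resources
}
```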